Visual Studio Code-delivered JavaScript backdoor
Malware Activity
Summary
North Korean threat actors are using malicious Next.js repositories in a fake job-recruitment campaign to trigger remote code execution (RCE) on developer systems and establish persistent command-and-control (C2). Microsoft says the repositories are disguised as technical assessment materials and use multiple execution paths, including Visual Studio Code workspace automation and Node.js-based loader behavior, to fetch and run attacker-controlled JavaScript. The activity is intended to reach source code, environment secrets, and build or cloud resources on infected machines.
Related Happenings
Npm typosquatting campaign distributing WinOS 4.0 implant
Campaign
First: 09.05.2026 17:26
Last: 09.05.2026 17:26
Sources 1
About this happening:
An **npm typosquatting campaign** distributing the **WinOS 4.0 implant** overlapped with malicious repository activity, indicating a broader coordinated distribution effort beyond...
SEO-poisoned GitHub facade campaign targeting enterprise admin tools
Campaign
First: 30.04.2026 14:30
Last: 30.04.2026 14:30
Sources 1
About this happening:
A **high-resilience SEO-poisoning campaign** is pushing **malicious MSI installers** through **dual-stage GitHub facades**, raising the risk that enterprise admins and security st...
GlassWorm v2 cloned VS Code extension loaders
Malware Activity
First: 27.04.2026 14:23
Last: 27.04.2026 14:23
Sources 1
About this happening:
The **GlassWorm v2** malware activity now uses **cloned VS Code extensions** on **Open VSX** to deliver payloads that steal credentials, deploy a **RAT**, and spread across multip...
MacOS living-off-the-land analysis exposing native-feature abuse
Technical Analysis
First: 22.04.2026 19:30
Last: 22.04.2026 19:30
Sources 1
About this happening:
Native macOS features are now being repurposed for **code execution**, **lateral movement**, and **evasion**, widening detection gaps across enterprise Apple fleets. The analysis...
Prt-scan GitHub pull_request_target supply-chain campaign
Campaign
First: 07.04.2026 00:38
Last: 07.04.2026 00:38
Sources 1
About this happening:
The **prt-scan** campaign used **AI-assisted automation** to scale a broad **GitHub supply-chain** operation, increasing risk for repositories configured with `pull_request_target...
Timeline
- 22.01.2026 00:00 · 3 articles · 4mo ago
Contagious Interview adds VS Code backdoor delivery
Initial Disclosure: Jamf Threat Labs disclosed that North Korean threat actors behind the Contagious Interview campaign are using a new Visual Studio Code delivery path. The lure leads software developers to open malicious GitHub or GitLab repositories and prompts them to trust the repository author; once trusted, a malicious configuration file executes, can run arbitrary commands, and drops a previously unseen JavaScript backdoor via Node.js on macOS systems.
Sources:
- 'Contagious Interview' Attack Now Delivers Backdoor Via VS Code — www.darkreading.com — 22.01.2026 00:00
- Malicious Next.js Repos Target Developers Via Fake Job Interviews — www.darkreading.com — 25.02.2026 18:42